The Cyber Resilience Act is set to introduce a wide-ranging framework governing the cybersecurity of digital products sold in the EU. The draft Act sets out essential cyber security requirements for the design, development, and production of "products with digital elements" (PDEs).

Broadly speaking, PDEs refer to all hardware and software products with some exceptions, such as medical devices, national security, and vehicles regulated elsewhere.

Manufacturers, developers, and vendors will need to meet the CRA requirements before their product can be put on the market in the EU.

All the essential requirements are set out in Annex I of the CRA, broadly covering:

• Embedding Secure-by-Default principles from the outset
• Ensuring the product does not have any known exploitable vulnerabilities
• Implementing authentication and identity or access management systems
• Protecting the confidentiality and integrity of data (through encryption or other technical means, for example)
• Protecting the availability of essential functions
• Designing, developing, and producing products to limit attack surfaces, including external interfaces
• Providing security-related information
• Ensuring vulnerabilities can be addressed through security updates

It also sets out essential requirements for the vulnerability handling processes to be put in place (see Annex II) to ensure cybersecurity is considered for the whole life cycle of a product. This includes drawing up a software bill of materials (SBOM).

Products deemed "important" under the Act will be required to apply a relevant standard or undergo a third-party assessment to demonstrate their compliance.

Once the Act enters into force, the Commission will be able to direct standardisation organisations to draft harmonised standards for the essential requirements. This will build on work by the European agency ENISA, which has already been working on three cyber security certification schemes as part of the Cyber Security Act, including the EU's Common Criteria (EUCC) for ICT products, the Cloud Certification Scheme (EUCS), and the EU5G Certification Scheme.

For a small number of products considered "highly critical", manufacturers and vendors will have to gain mandatory EU certification before they can sell the product into the EU.

Once the CRA is enacted, vendors, manufacturers, and developers will have 21 months to comply with the incident and vulnerability requirements and 36 months to comply with the remaining requirements.

Outside of the EU, governments are pursuing a mix of mandatory and voluntary measures to enhance hardware and software security standards. This includes the United Kingdom, where manufacturers of consumer IoT devices must comply with the requirements set out in the UK Product Security and Telecoms Infrastructure (PSTI) Act 2021.

The UK Government is also crafting and driving the uptake of Codes of Practices for Apps and App Stores and software security. While these Codes are voluntary at this stage, they could be mandated in the long term.

While the compliance deadlines for vulnerability reporting and cyber security requirements are still at least 21 months and 36 months away, respectively, affected organisations must begin building security considerations into their product development cycles now. Failure to do so could mean that new products in development today will not meet the standards required to be sold into the EU market in a few years' time.

Breaking these regulations will not only make new products less secure but also come with a hefty cost. Non-compliance could result in fines of up to €15 million or up to 2.5 % of the organisation's total worldwide annual turnover for the preceding financial year—whichever is higher.

While the Act's coming into effect may seem some time away, manufacturers are advised to begin preparing for these legislative changes sooner rather than later.

Specifically, we recommend prioritising the following steps:

1. Determine which products within your portfolio will be introduced once the CRA comes into force. This includes any new products, as well as those which are due to have a substantial modification regarding (security) functionality.
2. For each product, determine which category they fall under and whether self-assessment, an independent conformity assessment, or certification is required.
3. Start creating a Software Bill of Materials (SBOM) for all software components in the product portfolio. Note that there is yet to be a consensus on the required depth of SBOM.
4. Create a process to monitor, fix and report vulnerabilities, aligning with existing standards such as ISO/IEC 29147:2018.

Now is an excellent time to ensure you are following best practices, adhering to the existing certifications introduced through the EU Cybersecurity Act, and making security a priority throughout the production process.

For more support with achieving compliance with the Cyber Resilience Act, contact NCC Group today.

Neil Bellamy, our Head of TMT & Services, says: “The recent mass IT outage caused by an update to antivirus software by cyber security business, Crowdstrike is a timely reminder that IT has become a vital part of business operations and can cause chaos when it goes wrong.

“The Cyber Resilience Act aims to make devices safer by implementing more rigorous cybersecurity, documentation and vulnerability reporting requirements in the EU IT industry. Firms must begin building security considerations into their product development cycles now. Not only do you risk non-compliance with EU law and huge fines but reputational risk that could be terminal for your business.”

Talk to your usual bank representative for more support with cyber resilience.